Mozilla addresses a number of critical vulnerabilities in Firefox 3, 3.5 and 4, including security flaws affecting Mac OS X users and ASLR issues affecting Windows 7 and Vista users.
Mozilla patched Firefox 4 to
close a major security vulnerability that exposed the browser to attack on all
Windows systems. Mozilla also fixed issues in earlier versions of its popular
addressed a total of 53 bugs in Firefox 4 and earlier, of which
12 were rated "critical" and nine were categorized as "major," Mozilla said
April 28. The majority of the critical issues are related to systems crashing
and freezing while others dealt with issues in which large Adobe PDF documents
could not be properly loaded in the browser.
Mozilla developers fixed
memory corruption bugs (MFSA2011-12) in the browser engine that could be
corrupted under "certain circumstances," according to Mozilla. "With enough
effort, at least some of these could be exploited to run arbitrary code," the
A programming error in
Firefox 4 potentially exposed the latest version of the browser to "two
crashes" that could be remotely exploited to run malicious code, Mozilla said.
The WebGLES graphics libraries that support open-source WebGL were compiled without
ASLR, or Address Space Layout Randomization, protection before they were used
in the Windows versions of Firefox, according to Mozilla advisory MSFA 2011-17.
This is a critical
programming oversight, as ASLR is designed to make it difficult for attackers
to locate addressable memory space to execute exploits. Windows Vista and
Windows 7 rely on ASLR for its security, and attackers would be able to
compromise the operating system by bypassing Firefox's WebGLES libraries.
"An attacker who found
an exploitable memory corruption flaw could then use these libraries to bypass
ASLR on Windows Vista and Windows 7, making the flaw as exploitable on those
platforms as it would be on Windows XP or other platforms," Mozilla said
in its advisory.
WebGL, an open-source
content. It is supported in Firefox, Google's Chrome Web browser, and is
expected to be included in the next versions of Opera and Safari.
Two bugs related to WebGLES
were fixed in Firefox 4.0.1. The bugs are present only in Firefox 4, as WebGL
wasn't used in previous versions of the browser, according to Mozilla.
Mozilla also upgraded
Firefox 3.6 and 3.5, but warned that 3.5.19 was the last planned security and
stability release for Firefox 3.5. Users were encouraged to upgrade to Firefox
4. The update for Firefox 3.6 addressed the same memory corruption bug in
A "dangling pointer" bug
(MFSA2011-13) was fixed in Firefox 3.6. A dangling pointer is a programming
error in which a memory reference remains active even when the object it
pointed to is no longer in use. Another 3.6-specific vulnerability dealt with
privilege escalation in the Java Embedding Plug-in (MFSA2011-15).
"Apple users who
imagine themselves invulnerable simply by virtue of their choice of operating
system, please take note," warned Paul
, head of technology for the Asia-Pacific region for Sophos.
Firefox 4 was launched March
22. Mozilla posted the first build of Firefox 5 on May 2, and expects to have a
first beta release on or around May 17. Mozilla is moving to a six-week product
cycle for its Web browsers.